No option to select CA



  • Hello, I am using pfSense 2.3.1_p5, whatever the latest release is. When I go to create a mobile IPSEC tunnel for the purposes of connecting a Windows client, I am not given the option to select a corresponding CA for the cert for Authentication. I know everything else is correct, per the logs, it errors out on CA is unknown. It's not just auto-populating, because I can see in the config that the CA option is blank; see below. Any ideas?

    <certref>57696cb3c0e23</certref>
    <caref></caref>



  • The CA config is only for certain specific types; sounds like you're using a mode where it isn't relevant to specify the CA cert. What's the specific error you're getting?



  • The error I get on the Windows client is a 13801: IKE authentication credentials are unacceptable. I did the registry key for disabling EKU checking.

    The error I get in pfSense IPSEC log is Jun 22 08:22:14 charon 11[IKE] <16> received 25 cert requests for an unknown ca

    When I go to the config page VPN -> IPsec -> Mobile Clients -> Edit Phase 1
    under Phase 1 Proposal (Authentication), my authentication method is EAP-MSChapv2, which should require you specify a cert and its CA, hence why one would have to import the CA cert to the mobile client.

    (When EAP_MSChapv2 is selected) After the section where you select the cert, there is the 1-2 pixel space then 2-3 pixels of what would be the start of a new section. Selecting other authentication methods either completes and adds the option to select a CA or takes away that 2-3 pixel space of what would be another section.

    Help me fix this, I've got a Smokey and the Bandit style bet going here, leveraging pfSense.



  • It knows the CA by which cert you pick, no need to configure it. You probably missed part of the client instructions, either didn't import the CA, or didn't import it to the right place.
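
The last reply says the CA follows from whichever certificate is selected. As an added example (not part of the thread and not pfSense's own code), this script follows each phase 1 `<certref>` to its certificate and on to the issuing CA. It assumes a config.xml layout with top-level `<ca>` and `<cert>` entries keyed by `<refid>`; every value except the certref from the first post is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. Only <certref>/<caref> and the certref value
# come from the thread; other refids, descriptions and the layout are assumptions.
SAMPLE = """<pfsense>
  <ca><refid>ca-placeholder-1</refid><descr>Example VPN CA</descr></ca>
  <cert><refid>57696cb3c0e23</refid><descr>Example server cert</descr>
        <caref>ca-placeholder-1</caref></cert>
  <cert><refid>cert-placeholder-2</refid><descr>Imported cert, no CA</descr></cert>
  <ipsec>
    <phase1><descr>mobile</descr>
      <certref>57696cb3c0e23</certref><caref></caref></phase1>
    <phase1><descr>orphan</descr>
      <certref>cert-placeholder-2</certref><caref></caref></phase1>
  </ipsec>
</pfsense>"""


def text(node, tag):
    """Return stripped child text, or '' when the child is missing or empty."""
    return (node.findtext(tag) or "").strip()


def resolve_phase1_cas(xml_text):
    """Map each phase 1 entry to (certificate descr, issuing CA descr)."""
    root = ET.fromstring(xml_text)
    cas = {text(c, "refid"): text(c, "descr") for c in root.findall("ca")}
    certs = {text(c, "refid"): c for c in root.findall("cert")}
    report = {}
    for p1 in root.findall("./ipsec/phase1"):
        cert = certs.get(text(p1, "certref"))
        if cert is None:
            report[text(p1, "descr")] = (None, None)
            continue
        # This script's choice: use a non-empty phase 1 caref if present,
        # otherwise follow the caref stored on the certificate itself.
        ca_ref = text(p1, "caref") or text(cert, "caref")
        report[text(p1, "descr")] = (text(cert, "descr"), cas.get(ca_ref))
    return report


if __name__ == "__main__":
    for name, (cert, ca) in resolve_phase1_cas(SAMPLE).items():
        print(f"{name}: cert={cert!r} issuing CA={ca or 'NOT FOUND in config'}")
```

The CA named for the mobile entry is the one the Windows client has to have imported; an entry that resolves to no CA points at a certificate imported without its issuer.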

